Lazarus Group intensifies attacks on crypto browser extensions: Group-IB

Lazarus Group intensifies its cyber assault on crypto market, deploying sophisticated malware through fake video apps and expanding its targeting of browser extensions.

The notorious North Korean hacking gang Lazarus Group, known for its sophisticated cyber campaigns against the crypto industry, is ramping up its efforts to target crypto professionals and developers. The group has introduced new malware variants and expanded its focus to include video conferencing applications, according to a recent research report by Group-IB, a cybersecurity firm.

In 2024, Lazarus expanded its attacks with the “Contagious Interview” campaign, deceiving job seekers into downloading malware disguised as job-related tasks. The scheme now features a fake video conferencing app called “FCCCall” that mimics real software and installs the BeaverTail malware, which then deploys the Python-based backdoor “InvisibleFerret.”

“The core functionality of BeaverTail remains unchanged: it exfiltrates credentials from browsers, and data from cryptocurrency wallets browser extension.”

Group-IB

Group-IB researchers have also identified a new suite of Python scripts dubbed “CivetQ” as part of Lazarus’s evolving toolkit. The group’s tactics now include using Telegram for data exfiltration and expanding their reach to gaming-related repositories, trojanizing Node.js-based projects to spread their malware.

“After making initial contact, they would often attempt to move the conversation onto Telegram, where they [hackers] would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process.”

Group-IB

Lazarus’s latest campaign highlights their increasing focus on crypto wallet browser extensions, analysts at Group-IB emphasize, adding that the bad actors are now targeting a growing list of applications including MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3, among others.

The group has also developed more sophisticated methods to obscure their malicious code, making detection more challenging.

The escalation mirrors broader trends highlighted by the FBI, which has recently cautioned that North Korean cyber actors are targeting employees in decentralized finance and cryptocurrency sectors with highly specialized social engineering campaigns. According to the FBI, these sophisticated tactics are crafted to penetrate even the most secure systems, representing an ongoing threat to organizations with substantial crypto assets.